Change permissions of binaries (executables, and probably shared libraries as well) to make them non-writeable even by owner (usually root). This makes it more difficult for an exploit of a program running with restricted capabilities to overwrite binaries.

In Fedora 12 several daemons (e.g. dhclient, bluez) were modified to drop
unnecessary capabilities (Features/LowerProcessCapabilities), most importantly the "dac_override"
capability, allowing the daemon to ignore file permission bits. This,
in combination with removing some permissions from important system
directories and files (such as /etc/shadow), has restricted the amount
of damage that can be done by exploiting such daemons.

We can extend the protection to all executables by a simple addition to
redhat-rpm-config (https://bugzilla.redhat.com/show_bug.cgi?id=556897 ).
After applying this patch, executable files in all rebuilt packages
would not be writeable, most often using mode 0555. Because shared libraries are usually executable on Linux, this protects most shared libraries as well; the protection can be explicitly expanded to all shared libraries.

I don't expect any problems from this change (it can affect only daemons
that drop capabilities, and executables owned by other users than root);
in the unusual case where making the executeable not writeable did case
some problems, the packager could override the change by explicitly
specifying the required permissions using %attr in the %files section of
the spec file.

A "build policy" (brp-*) script added to redhat-rpm-config, to be automatically run in at the end of %install. As far as I understand a mass rebuild is not planned for Fedora 13, so not all packages will be affected by this change. Security-critical packages can be intentionally rebuilt to take advantage of the change.

Problems are not expected - but if they do arise, the package can use %attr to override the change. In the absolutely worst case, the redhat-rpm-config patch would be reverted and affected packages rebuilt.

Some executables and shared libraries in this Fedora release have their "write" permission bits reset, to make it more difficult for daemons running as root that have dropped the dac_override capability (notably dhclient) to overwrite these files. More executables be not writeable in future releases of Fedora.

Red Hat, Red Hat Enterprise Linux, the Shadowman logo, and JBoss are trademarks or registered trademarks of
Red Hat, Inc. or its subsidiaries in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries.
The Fedora Project is maintained and driven by the community and sponsored by Red Hat. This is a community
maintained site. Red Hat is not responsible for content.